BACKGROUND 


Actions Taken Today 

Surescripts has barred ReMy Health’s access to its health information network, effective immediately, 
has initiated the process of terminating its contract with ReMy Health, and is in the process of turning 
the matter over to the FBI. We are taking this action after an investigation that showed ReMy Health 
gave one or more of its customers unauthorized access to the Surescripts network. This violates ReMy 
Health’s contract with Surescripts and, moreover, appears to be linked to fraudulent activity by either 
ReMy Health or the customers in question or both. This fraudulent activity appears to violate multiple 
federal and state laws. 

Details on Contract Violation 


ReMy Health, a third-party vendor, contracted with Surescripts to give providers access to patients’ 
complete medication history, in addition to other information relevant to electronic prescribing and 
prescription benefits. Medication history information is to be used by providers when delivering care to 
support clinical decision-making before prescribing new medications or during the normal process of 
provider-discharge planning for patients leaving a hospital or health system. This information can reveal 
a lot about an individual’s health status, including the most sensitive of healthcare conditions, so its 
appropriate handling is extremely important. 

Surescripts first began investigating ReMy Health last fall when we saw unusual activity on our network: 
almost all of ReMy Health’s requests for patient medication history were coming from one National 
Provider Identifier (NPI), a number issued to healthcare providers by the federal government. At that 
time, we alerted ReMy Health and they assured us that the requests for information were from 
providers caring for patients in hospitals and that they would work to correct the issue and fill the NPI 
field appropriately. 

After ReMy Health assured us that they had fixed the problem, we discovered that, contrary to their 
representations to us, ReMy Health has been providing access to medication history information to its 
customer PillPack. PillPack is not a hospital or a physician providing clinical care for patients, and 
therefore could not contract with Surescripts for this service. Although PillPack has its own NPI, we 
never received medication history requests that included their NPI. 

Details on Fraudulent Behavior 


Upon further investigation, we discovered that someone was fraudulently achieving the transfer of 
prescription history information to PillPack for patients who had registered with their service. Rather 
than using PillPack’s NPI (which it uses for electronic prescribing), PillPack’s requests for medication 
history included an NPI for a different health care provider. Further investigation has revealed that in at 
least some instances PillPack’s requests included the NPI of a random health care provider in the same 
geographic area as the patient rather than the NPI of a health care provider who has actually seen the 
patient. The full extent of this misappropriation of NPIs and the number of ReMy Health’s customers 
impacted is still under investigation by Surescripts, and we are hopeful that the FBI will be able to 
obtain additional information through its investigation. 

Surescripts has spent nearly 20 years establishing trusted relationships and legal agreements with 
hundreds of data suppliers and EHR vendors across the country to securely exchange health 
information. These agreements ensure that the information we exchange is only used for patient care
and not for the commercial benefit of any one data supplier. These agreements also help ensure that
patient data is properly secured. 



